Warning: Permanently added '10.128.1.40' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 56.939273][ T83] usb 6-1: new high-speed USB device number 2 using dummy_hcd
[ 56.949228][ T5] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 56.956789][ T1738] usb 3-1: new high-speed USB device number 2 using dummy_hcd
[ 56.959953][ T17] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[ 56.964318][ T12] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 56.979260][ T102] usb 4-1: new high-speed USB device number 2 using dummy_hcd
[ 57.179285][ T83] usb 6-1: Using ep0 maxpacket: 16
[ 57.209229][ T17] usb 2-1: Using ep0 maxpacket: 16
[ 57.229270][ T102] usb 4-1: Using ep0 maxpacket: 16
[ 57.234590][ T1738] usb 3-1: Using ep0 maxpacket: 16
[ 57.239788][ T5] usb 5-1: Using ep0 maxpacket: 16
[ 57.244964][ T12] usb 1-1: Using ep0 maxpacket: 16
[ 57.299339][ T83] usb 6-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.307864][ T83] usb 6-1: config 0 has no interface number 0
[ 57.314355][ T83] usb 6-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.327454][ T83] usb 6-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.336676][ T83] usb 6-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.344740][ T17] usb 2-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.352949][ T17] usb 2-1: config 0 has no interface number 0
[ 57.359514][ T102] usb 4-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.360036][ T17] usb 2-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.367739][ T102] usb 4-1: config 0 has no interface number 0
[ 57.380755][ T17] usb 2-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.380766][ T17] usb 2-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.382363][ T83] usb 6-1: config 0 descriptor??
[ 57.386976][ T5] usb 5-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.400647][ T17] usb 2-1: config 0 descriptor??
[ 57.404141][ T5] usb 5-1: config 0 has no interface number 0
[ 57.407347][ T1738] usb 3-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.436899][ T1738] usb 3-1: config 0 has no interface number 0
[ 57.443054][ T12] usb 1-1: config 0 has an invalid interface number: 133 but max is 0
[ 57.451279][ T12] usb 1-1: config 0 has no interface number 0
[ 57.451834][ T17] rio500 2-1:0.133: USB Rio found at address 2
[ 57.459378][ T12] usb 1-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.469062][ T83] rio500 6-1:0.133: USB Rio found at address 2
[ 57.476938][ T12] usb 1-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.476954][ T12] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.500272][ T102] usb 4-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.513513][ T102] usb 4-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.522676][ T102] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.530780][ T5] usb 5-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.543901][ T5] usb 5-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.553081][ T5] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.561264][ T1738] usb 3-1: config 0 interface 133 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 6
[ 57.575414][ T1738] usb 3-1: New USB device found, idVendor=0841, idProduct=0001, bcdDevice=c5.d0
[ 57.585986][ T1738] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 57.595302][ T102] usb 4-1: config 0 descriptor??
[ 57.601023][ T12] usb 1-1: config 0 descriptor??
[ 57.606456][ T5] usb 5-1: config 0 descriptor??
[ 57.613094][ T1738] usb 3-1: config 0 descriptor??
[ 57.640951][ T12] rio500 1-1:0.133: Second USB Rio at address 2 refused
executing program
executing program
[ 57.648412][ T12] rio500: probe of 1-1:0.133 failed with error -16
[ 57.658464][ T83] usb 2-1: USB disconnect, device number 2
[ 57.665649][ T17] usb 6-1: USB disconnect, device number 2
[ 57.670804][ T102] rio500 4-1:0.133: Second USB Rio at address 2 refused
[ 57.676611][ T17] rio500 6-1:0.133: USB Rio disconnected.
[ 57.680948][ T5] rio500 5-1:0.133: Second USB Rio at address 2 refused
[ 57.686136][ T83] ==================================================================
[ 57.693954][ T1738] rio500 3-1:0.133: USB Rio found at address 2
[ 57.700606][ T83] BUG: KASAN: double-free or invalid-free in disconnect_rio+0x12b/0x1b0
[ 57.700609][ T83]
[ 57.700624][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Not tainted 5.3.0+ #0
[ 57.700630][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.700650][ T83] Workqueue: usb_hub_wq hub_event
[ 57.720083][ T102] rio500: probe of 4-1:0.133 failed with error -16
[ 57.724595][ T83] Call Trace:
[ 57.724619][ T83] dump_stack+0xca/0x13e
[ 57.724636][ T83] print_address_description+0x6a/0x32c
[ 57.724655][ T83] ? disconnect_rio+0x12b/0x1b0
[ 57.735040][ T5] rio500: probe of 5-1:0.133 failed with error -16
[ 57.739864][ T83] kasan_report_invalid_free+0x61/0xa0
[ 57.739883][ T83] ? disconnect_rio+0x12b/0x1b0
[ 57.739892][ T83] __kasan_slab_free+0x162/0x180
[ 57.739903][ T83] ? disconnect_rio+0x12b/0x1b0
[ 57.739918][ T83] kfree+0xe4/0x2f0
[ 57.794839][ T83] disconnect_rio+0x12b/0x1b0
[ 57.799543][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 57.804746][ T83] ? usb_autoresume_device+0x60/0x60
[ 57.810017][ T83] device_release_driver_internal+0x42f/0x500
[ 57.816191][ T83] bus_remove_device+0x2dc/0x4a0
[ 57.821276][ T83] device_del+0x420/0xb10
[ 57.825712][ T83] ? __device_links_no_driver+0x240/0x240
[ 57.831430][ T83] ? lockdep_hardirqs_on+0x379/0x580
[ 57.836702][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 57.841978][ T83] usb_disable_device+0x211/0x690
[ 57.847175][ T83] usb_disconnect+0x284/0x8d0
[ 57.851852][ T83] hub_event+0x1454/0x3640
[ 57.856498][ T83] ? find_held_lock+0x2d/0x110
[ 57.861252][ T83] ? mark_held_locks+0xe0/0xe0
[ 57.866149][ T83] ? hub_port_debounce+0x260/0x260
[ 57.870891][ T102] usb 4-1: USB disconnect, device number 2
[ 57.871338][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 57.882661][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 57.886427][ T5] usb 5-1: USB disconnect, device number 2
[ 57.887954][ T83] process_one_work+0x92b/0x1530
[ 57.887973][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 57.904267][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 57.909310][ T83] worker_thread+0x96/0xe20
[ 57.913799][ T83] ? process_one_work+0x1530/0x1530
[ 57.918989][ T83] kthread+0x318/0x420
[ 57.923051][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 57.928419][ T83] ret_from_fork+0x24/0x30
[ 57.932817][ T83]
[ 57.935131][ T83] Allocated by task 83:
[ 57.939274][ T83] save_stack+0x1b/0x80
[ 57.943424][ T83] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.949087][ T83] probe_rio+0x135/0x248
[ 57.953331][ T83] usb_probe_interface+0x305/0x7a0
[ 57.958443][ T83] really_probe+0x281/0x6d0
[ 57.962925][ T83] driver_probe_device+0x101/0x1b0
[ 57.968017][ T83] __device_attach_driver+0x1c2/0x220
[ 57.974152][ T83] bus_for_each_drv+0x162/0x1e0
[ 57.978988][ T83] __device_attach+0x217/0x360
[ 57.983733][ T83] bus_probe_device+0x1e4/0x290
[ 57.988594][ T83] device_add+0xae6/0x16f0
[ 57.993011][ T83] usb_set_configuration+0xdf6/0x1670
[ 57.998389][ T83] generic_probe+0x9d/0xd5
[ 58.002808][ T83] usb_probe_device+0x99/0x100
[ 58.007566][ T83] really_probe+0x281/0x6d0
[ 58.012097][ T83] driver_probe_device+0x101/0x1b0
[ 58.017192][ T83] __device_attach_driver+0x1c2/0x220
[ 58.022546][ T83] bus_for_each_drv+0x162/0x1e0
[ 58.027374][ T83] __device_attach+0x217/0x360
[ 58.032131][ T83] bus_probe_device+0x1e4/0x290
[ 58.036979][ T83] device_add+0xae6/0x16f0
[ 58.041389][ T83] usb_new_device.cold+0x6a4/0xe79
[ 58.046509][ T83] hub_event+0x1b5c/0x3640
[ 58.050918][ T83] process_one_work+0x92b/0x1530
[ 58.055844][ T83] worker_thread+0x96/0xe20
[ 58.060340][ T83] kthread+0x318/0x420
[ 58.064392][ T83] ret_from_fork+0x24/0x30
[ 58.068782][ T83]
[ 58.071086][ T83] Freed by task 17:
[ 58.074967][ T83] save_stack+0x1b/0x80
[ 58.079125][ T83] __kasan_slab_free+0x130/0x180
[ 58.084066][ T83] kfree+0xe4/0x2f0
[ 58.087857][ T83] disconnect_rio+0x12b/0x1b0
[ 58.092518][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 58.098757][ T83] device_release_driver_internal+0x42f/0x500
[ 58.104822][ T83] bus_remove_device+0x2dc/0x4a0
[ 58.109750][ T83] device_del+0x420/0xb10
[ 58.114169][ T83] usb_disable_device+0x211/0x690
[ 58.119179][ T83] usb_disconnect+0x284/0x8d0
[ 58.123850][ T83] hub_event+0x1454/0x3640
[ 58.128279][ T83] process_one_work+0x92b/0x1530
[ 58.133211][ T83] worker_thread+0x96/0xe20
[ 58.138109][ T83] kthread+0x318/0x420
[ 58.142408][ T83] ret_from_fork+0x24/0x30
[ 58.146930][ T83]
[ 58.150042][ T83] The buggy address belongs to the object at ffff8881d5488000
[ 58.150042][ T83] which belongs to the cache kmalloc-4k of size 4096
[ 58.164094][ T83] The buggy address is located 0 bytes inside of
[ 58.164094][ T83] 4096-byte region [ffff8881d5488000, ffff8881d5489000)
[ 58.177286][ T83] The buggy address belongs to the page:
[ 58.182936][ T83] page:ffffea0007552200 refcount:1 mapcount:0 mapping:ffff8881da00c280 index:0x0 compound_mapcount: 0
[ 58.194552][ T83] flags: 0x200000000010200(slab|head)
[ 58.199915][ T83] raw: 0200000000010200 dead000000000100 dead000000000122 ffff8881da00c280
[ 58.209719][ T83] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
[ 58.218580][ T83] page dumped because: kasan: bad access detected
[ 58.224983][ T83]
[ 58.227291][ T83] Memory state around the buggy address:
[ 58.232906][ T83] ffff8881d5487f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.240958][ T83] ffff8881d5487f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[ 58.249191][ T83] >ffff8881d5488000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.257249][ T83] ^
[ 58.261562][ T83] ffff8881d5488080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.269604][ T83] ffff8881d5488100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.277658][ T83] ==================================================================
[ 58.285702][ T83] Disabling lock debugging due to kernel taint
[ 58.292106][ T83] Kernel panic - not syncing: panic_on_warn set ...
[ 58.298705][ T83] CPU: 1 PID: 83 Comm: kworker/1:2 Tainted: G B 5.3.0+ #0
[ 58.307103][ T83] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.317155][ T83] Workqueue: usb_hub_wq hub_event
[ 58.322159][ T83] Call Trace:
[ 58.325968][ T83] dump_stack+0xca/0x13e
[ 58.330189][ T83] panic+0x2a3/0x6da
[ 58.334076][ T83] ? add_taint.cold+0x16/0x16
[ 58.338731][ T83] ? disconnect_rio+0x12b/0x1b0
[ 58.343567][ T83] ? trace_hardirqs_on+0x55/0x1e0
[ 58.348584][ T83] ? disconnect_rio+0x12b/0x1b0
[ 58.353412][ T83] end_report+0x43/0x49
[ 58.357548][ T83] kasan_report_invalid_free+0x7d/0xa0
[ 58.362995][ T83] ? disconnect_rio+0x12b/0x1b0
[ 58.367827][ T83] __kasan_slab_free+0x162/0x180
[ 58.372765][ T83] ? disconnect_rio+0x12b/0x1b0
[ 58.377591][ T83] kfree+0xe4/0x2f0
[ 58.381393][ T83] disconnect_rio+0x12b/0x1b0
[ 58.386069][ T83] usb_unbind_interface+0x1bd/0x8a0
[ 58.391246][ T83] ? usb_autoresume_device+0x60/0x60
[ 58.396524][ T83] device_release_driver_internal+0x42f/0x500
[ 58.402571][ T83] bus_remove_device+0x2dc/0x4a0
[ 58.407501][ T83] device_del+0x420/0xb10
[ 58.411821][ T83] ? __device_links_no_driver+0x240/0x240
[ 58.417782][ T83] ? lockdep_hardirqs_on+0x379/0x580
[ 58.423050][ T83] ? remove_intf_ep_devs+0x13f/0x1d0
[ 58.428327][ T83] usb_disable_device+0x211/0x690
[ 58.433431][ T83] usb_disconnect+0x284/0x8d0
[ 58.438368][ T83] hub_event+0x1454/0x3640
[ 58.445031][ T83] ? find_held_lock+0x2d/0x110
[ 58.449864][ T83] ? mark_held_locks+0xe0/0xe0
[ 58.454607][ T83] ? hub_port_debounce+0x260/0x260
[ 58.459703][ T83] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 58.465232][ T83] ? rcu_read_lock_bh_held+0xb0/0xb0
[ 58.470499][ T83] process_one_work+0x92b/0x1530
[ 58.475420][ T83] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.480779][ T83] ? do_raw_spin_lock+0x11a/0x280
[ 58.485781][ T83] worker_thread+0x96/0xe20
[ 58.490265][ T83] ? process_one_work+0x1530/0x1530
[ 58.495441][ T83] kthread+0x318/0x420
[ 58.499490][ T83] ? kthread_create_on_node+0xf0/0xf0
[ 58.504841][ T83] ret_from_fork+0x24/0x30
[ 58.510159][ T83] Kernel Offset: disabled
[ 58.514526][ T83] Rebooting in 86400 seconds..